Ansible Role: sshd

Description

This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the DevSec SSH Baseline.
The role is a fork of arillso.sshd.

Installation

ansible-galaxy collection install community.crypto
ansible-galaxy install skriptfabrik.sshd

Requirements

None

Role Variables

ssh_ipv6_enable

true if IPv6 is needed

ssh_ipv6_enable: '{{ network_ipv6_enable | default(false) }}' # sshd + ssh

ssh_server_enabled

true if sshd should be started and enabled

ssh_server_enabled: true # sshd

ssh_use_dns

true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8

ssh_use_dns: false # sshd

ssh_compression

true or value if compression is needed

ssh_compression: false # sshd

ssh_hardening

For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.

ssh_client_hardening: true # ssh
ssh_server_hardening: true # sshd

ssh_client_password_login

If true, password login is allowed

ssh_client_password_login: false # ssh
ssh_server_password_login: false # sshd

ssh_server_ports

ports on which ssh-server should listen

ssh_server_ports: ['22'] # sshd

ssh_client_port

port to which ssh-client should connect

ssh_client_port: '22' # ssh

ssh_listen_to

one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!

ssh_listen_to: ['0.0.0.0'] # sshd

ssh_host_key_files

Host keys to look for when starting sshd.

ssh_host_key_files: [] # sshd
#  - path: "{{ sshd_config_path }}/ssh_host_rsa_key"
#    private_key: |
#      xxxxxxxxxxxxx
#      xxxxxxxxxxxxx
#      xxxxxxxxxxxxx
#    public_key: |
#      xxxxxxxxxxxxx
#      xxxxxxxxxxxxx
#      xxxxxxxxxxxxx
#    size: 8192
#    type: rsa

ssh_force_create_host_key_files

Force the creation of host key files.

ssh_force_create_host_key_files: false # sshd

ssh_max_auth_retries

Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.

ssh_max_auth_retries: 2

ssh_client_alive_interval

ssh_client_alive_interval: 300 # sshd

ssh_client_alive_count

ssh_client_alive_count: 3 # sshd

ssh_permit_tunnel

Allow SSH Tunnels

ssh_permit_tunnel: false

ssh_remote_hosts

Hosts with custom options. # ssh

ssh_remote_hosts: []

# Example

ssh_remote_hosts:
  - names: ['example.com', 'example2.com']
    options: ['Port 2222', 'ForwardAgent yes']
  - names: ['example3.com']
    options: ['StrictHostKeyChecking no']

ssh_allow_root_with_key

Set this to "without-password" or "yes" to allow root to login

ssh_allow_root_with_key: 'no' # sshd

ssh_allow_tcp_forwarding

false to disable TCP Forwarding. Set to true to allow TCP Forwarding.

ssh_allow_tcp_forwarding: false # sshd

ssh_gateway_ports

false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.

Set to 'clientspecified' to allow the client to specify which address to bind to.

ssh_gateway_ports: false # sshd

ssh_allow_agent_forwarding

false to disable Agent Forwarding. Set to true to allow Agent Forwarding.

ssh_allow_agent_forwarding: false # sshd

ssh_pam_support

true if SSH has PAM support

ssh_pam_support: true

ssh_use_pam

false to disable pam authentication.

ssh_use_pam: false # sshd

ssh_google_auth

false to disable google 2fa authentication

ssh_google_auth: false # sshd

ssh_pam_device

false to disable pam device 2FA input

ssh_pam_device: false # sshd

ssh_gssapi_support

true if SSH support GSSAPI

ssh_gssapi_support: false

ssh_kerberos_support

true if SSH support Kerberos

ssh_kerberos_support: true

ssh_deny_users

if specified, login is disallowed for user names that match one of the patterns.

ssh_deny_users: '' # sshd

ssh_allow_users

if specified, login is allowed only for user names that match one of the patterns.

ssh_allow_users: '' # sshd

ssh_deny_groups

if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.

ssh_deny_groups: '' # sshd

ssh_allow_groups

if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.

ssh_allow_groups: '' # sshd

ssh_authorized_keys_file

change default file that contains the public keys that can be used for user authentication.

ssh_authorized_keys_file: '' # sshd

ssh_trusted_user_ca_keys_file

specifies the file containing trusted certificate authorities public keys used to sign user certificates.

ssh_trusted_user_ca_keys_file: '' # sshd

ssh_trusted_user_ca_keys

set the trusted certificate authorities public keys used to sign user certificates.

ssh_trusted_user_ca_keys: [] # sshd

Example

ssh_trusted_user_ca_keys:
  - 'ssh-rsa ... comment1'
  - 'ssh-rsa ... comment2'

ssh_authorized_principals_file

specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.

ssh_authorized_principals_file: '' # sshd

Example

ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'

%h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, the path is taken to be an absolute path or one relative to the user's home directory.

ssh_authorized_principals

list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.

ssh_authorized_principals: [] # sshd

Example

ssh_authorized_principals:
  - {
      path: '/etc/ssh/auth_principals/root',
      principals: ['root'],
      owner: '{{ ssh_owner }}',
      group: '{{ ssh_group }}',
      directoryowner: '{{ ssh_owner }}',
      directorygroup: '{{ ssh_group}}',
    }
  - {
      path: '/etc/ssh/auth_principals/myuser',
      principals: ['masteradmin', 'webserver'],
    }

ssh_print_motd

false to disable printing of the MOTD

ssh_print_motd: false # sshd

ssh_print_last_log

false to disable display of last login information

ssh_print_last_log: false # sshd

ssh_banner

false to disable serving /etc/ssh/banner.txt before authentication is allowed

ssh_banner: false # sshd

ssh_print_debian_banner

false to disable distribution version leakage during initial protocol handshake

ssh_print_debian_banner: false # sshd (Debian OS family only)

ssh_sftp_enabled

true to enable sftp configuration

ssh_sftp_enabled: '{{ sftp_enabled | default(false) }}'

ssh_sftp_chroot

false to disable sftp chroot

ssh_sftp_chroot: '{{ sftp_chroot | default(true) }}'

ssh_sftp_chroot_dir

change default sftp chroot location

ssh_sftp_chroot_dir: "{{ sftp_chroot_dir | default('/home/%u') }}"

If true, password login for SFTP is allowed

ssh_server_sftp_password_login: false
ssh_server_sftp_password_login: true

ssh_client_roaming

enable experimental client roaming

ssh_client_roaming: false

ssh_server_match_user

list of hashes (containing user and rules) to generate Match User blocks for.

ssh_server_match_user: false # sshd

ssh_server_match_group

list of hashes (containing group and rules) to generate Match Group blocks for.

ssh_server_match_group: false # sshd

ssh_server_match_address

list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.

ssh_server_match_address: false # sshd

ssh_server_permit_environment_vars

ssh_server_permit_environment_vars: false

ssh_max_startups

maximum number of concurrent unauthenticated connections to the SSH daemon

ssh_max_startups: '10:30:100' # sshd

ssh_ps53

ssh_ps53: 'yes'

ssh_ps59

ssh_ps59: 'sandbox'

ssh_macs

ssh_macs: []

ssh_ciphers

ssh_ciphers: []

ssh_kex

ssh_kex: []

ssh_macs_53_default

ssh_macs_53_default:
  - hmac-ripemd160
  - hmac-sha1

ssh_macs_59_default

ssh_macs_59_default:
  - hmac-sha2-512
  - hmac-sha2-256
  - hmac-ripemd160

ssh_macs_66_default

ssh_macs_66_default:
  - [email protected]
  - [email protected]
  - [email protected]
  - hmac-sha2-512
  - hmac-sha2-256

ssh_macs_76_default

ssh_macs_76_default:
  - [email protected]
  - [email protected]
  - [email protected]
  - hmac-sha2-512
  - hmac-sha2-256

ssh_ciphers_53_default

ssh_ciphers_53_default:
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_ciphers_66_default

ssh_ciphers_66_default:
  - [email protected]
  - [email protected]
  - [email protected]
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

ssh_kex_59_default

ssh_kex_59_default:
  - diffie-hellman-group-exchange-sha256

ssh_kex_66_default

ssh_kex_66_default:
  - [email protected]
  - diffie-hellman-group-exchange-sha256

ssh_custom_selinux_dir

directory where to store ssh_password policy

ssh_custom_selinux_dir: '/etc/selinux/local-policies'

sshd_moduli_file: '/etc/ssh/moduli'
sshd_moduli_minimum: 2048

ssh_challengeresponseauthentication

disable ChallengeResponseAuthentication

ssh_challengeresponseauthentication: false

ssh_server_revoked_keys

a list of public keys that are never accepted by the ssh server

ssh_server_revoked_keys: []

ssh_hardening_enabled

Set to false to turn the role into a no-op. Useful when using the Ansible role dependency mechanism.

ssh_hardening_enabled: true

ssh_custom_options

Custom options for SSH client configuration file

ssh_custom_options: []

sshd_custom_options

Custom options for SSH daemon configuration file

sshd_custom_options: []

Dependencies

None

Example Playbook

- hosts: all
  roles:
    - skriptfabrik.sshd

Author

• Simon Bärlocher
• Frank Giesecke

License

This project is under the MIT License.

Copyright

(c) 2022, skriptfabrik GmbH